Findings from day 1

From Gridkaschool
  • /etc.bak.tgz <- bkup contains readable /etc/shadow
  • bash history of user sycorax shows JtR activity on the shadow file -> possible password compromise
  • tmp. directory under /var/tmp/ab7a…, downloaded JtR, exec'd, cracked shadow, changed uid -> admin
  • admin "sudo su -", starts rootkit
  • sycorax changed prompt, reason unknown
  • sycorax compromised
  • CVE-2010-3856, LD_AUDIT (.bash_history)
  • lots of info in .bash_history of sycorax. Killed apache.
  • Attacker came from 141.52.174.51
  • glibc too old.
  • Attacker might have used python-expect, needed to change the prompt for it to function
  • netstat -> bind-shell-exec (argv0 mangled). lsof -> pid -> full path to executable. strings -> password
  • download of rds-exploit -> root compromise.
  • /bin/ping compromised (suid-binary). Used for race-condition-exploit.

Addendum from Leif: The last point is, of course, not correct. That the ctime on /bin/ping has changed is just a byproduct of the CVE-2010-3847 (not 3856) exploit. The file contents are not changed, as can easily be checked with "rpm -Vf /bin/ping". The original write-up on CVE-2010-3847 is worth a read, even if one does not understand all details: http://seclists.org/fulldisclosure/2010/Oct/257
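To make the addendum's point concrete, here is an added Python example (not part of the Gridkaschool page) that separates a ctime change from a content change on a constructed sample file; it stands in for the `rpm -Vf` check on hosts without a package baseline. The file name and contents are constructed for the demo.

```python
# Added example: tell a metadata-only ctime bump apart from a real content change,
# which is the distinction the addendum makes for /bin/ping. Not from the original page.
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    sha256: str      # hash of the file contents
    ctime_ns: int    # inode change time: moves on content *or* metadata changes
    mtime_ns: int    # last content modification time


def record(path):
    """Snapshot a file: content hash plus the two timestamps that matter here."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return FileRecord(h.hexdigest(), st.st_ctime_ns, st.st_mtime_ns)


def classify(baseline, current):
    """Interpret a difference the way 'rpm -V' would: identical contents with a
    newer ctime is a metadata event (chmod/chown/link count), not a trojaned binary."""
    if current.sha256 != baseline.sha256:
        return "content_modified"
    if current.ctime_ns != baseline.ctime_ns:
        return "metadata_only"
    return "unchanged"


def demo():
    """Constructed demo: a chmod (e.g. re-applying the setuid bit) bumps ctime
    but leaves the hash intact. Returns (hash_unchanged, verdict)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "ping")  # constructed stand-in for /bin/ping
        with open(p, "wb") as f:
            f.write(b"\x7fELF fake ping binary (constructed sample)\n")
        base = record(p)
        os.chmod(p, 0o4755)          # setuid root-style mode; only metadata changes
        after = record(p)
        return base.sha256 == after.sha256, classify(base, after)


if __name__ == "__main__":
    print(demo())
```

On a real host, compare a record taken now against one taken from a known-good baseline (or from the package manager's stored digests) rather than against a snapshot made after the incident.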